CN112988501B - Alarm information generation method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN112988501B
CN112988501B
Authority
CN
China
Prior art keywords
event
behavior
specified
graph
alarm information
Prior art date
Legal status
Active
Application number
CN201911304633.0A
Other languages
Chinese (zh)
Other versions
CN112988501A (en)
Inventor
马长春
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd
Priority to CN201911304633.0A
Priority to PCT/CN2020/136704 (published as WO2021121244A1)
Priority to EP20903246.5A (published as EP4080368A4)
Publication of CN112988501A
Application granted
Publication of CN112988501B
Legal status: Active

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F11/00 Error detection; Error correction; Monitoring > G06F11/30 Monitoring
        • G06F11/327 Alarm or error message display (via G06F11/32 Monitoring with visual or acoustical indication of the functioning of the machine > G06F11/324 Display of status information)
        • G06F11/3065 Monitoring arrangements determined by the means or processing involved in reporting the monitored data
        • G06F11/302 Monitoring arrangements specially adapted to the computing system or computing system component being monitored, where the computing system component is a software system (via G06F11/3003)
        • G06F11/3075 Monitoring arrangements where the reporting involves data filtering, e.g. pattern matching, time or event triggered, adaptive or policy-based reporting, the data filtering being achieved in order to maintain consistency among the monitored data, e.g. ensuring that the monitored data belong to the same timeframe, to the same system or component (via G06F11/3065 > G06F11/3072)
        • G06F11/3476 Data logging (via G06F11/34 Recording or statistical evaluation of computer activity or of user activity > G06F11/3466 Performance evaluation by tracing or monitoring)
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures
        • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
        • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1408 ... by monitoring network traffic
        • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G06F2201/00 Indexing scheme relating to error detection, to error correction, and to monitoring
        • G06F2201/86 Event-based monitoring
        • G06F2201/865 Monitoring of software

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Quality & Reliability (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Mathematical Physics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Alarm Systems (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a method and apparatus for generating alarm information, an electronic device and a storage medium. The method comprises: extracting behavior data from a terminal; constructing an event heterogeneous graph from the behavior data, in which the edges represent behavior events; determining an anomaly value for a specified behavior event in the event heterogeneous graph; and taking the specified behavior events whose anomaly values meet an alarm condition as the alarm information. The anomaly value directly improves the accuracy and reliability of the generated alarm information, which avoids the situation in the related art where the detection rate of malicious events is maintained only by enlarging the alarm log, so that the log becomes huge, the false alarm rate is high, and the real malicious events that require an alarm are buried among the excessive number of behavior events in the log.

Description

Alarm information generation method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of data processing technologies, and in particular, to a method and an apparatus for generating alarm information, an electronic device, and a storage medium.
Background
A terminal generates a large number of behavior events during use. Some of these behavior events are what the user expects; others are malicious events executed outside the user's expectation. Malicious events harm the terminal to varying degrees and can even render it unusable. Therefore, when a malicious event exists on the terminal, the user needs to be alerted so that the terminal can be protected.
The current alerting approach is that, when a predetermined behavior event is observed using an indicator model, the related behavior events are recorded, an alarm log is generated, and the user is alerted through that log. However, the alarm log generated by the indicator model has a huge data volume and a high false alarm rate for malicious events.
Disclosure of Invention
The invention aims to provide an alarm information generation method and apparatus, an electronic device and a storage medium that generate alarm information through an event heterogeneous graph, so that the accuracy and reliability of the generated alarm information are improved and real malicious events are not missed because the alarm log contains too many entries.
To solve the above technical problem, the present invention provides an alarm information generating method, including:
extracting behavior data from the terminal;
constructing an event heterogeneous graph from the behavior data, wherein edges in the event heterogeneous graph represent behavior events;
determining an anomaly value of a specified behavior event in the event heterogeneous graph;
and taking the specified behavior event whose anomaly value meets the alarm condition as alarm information.
Optionally, constructing the event heterogeneous graph from the behavior data includes:
dividing the behavior data into time periods according to the time at which each behavior occurred;
constructing a time-period event heterogeneous graph from the behavior data of each time period;
and combining the time-period event heterogeneous graphs into the event heterogeneous graph.
Optionally, the specified behavior events are all behavior events in the event heterogeneous graph; or the specified behavior events are all behavior events corresponding to obtained initial alarm information.
Optionally, taking the specified behavior event whose anomaly value meets the alarm condition as alarm information includes:
sorting the anomaly values in descending order and taking the specified behavior events corresponding to the first preset number of anomaly values as alarm information.
Optionally, determining the anomaly value of a specified behavior event in the event heterogeneous graph includes:
obtaining, from the event heterogeneous graph, the probability value of the specified behavior event occurring;
and determining the anomaly value of the specified behavior event from the probability value.
Optionally, obtaining the probability value of the specified behavior event occurring from the event heterogeneous graph includes:
obtaining, from the event heterogeneous graph, the activity of the source vertex and the activity of the destination vertex of the specified behavior event, and a first frequency with which the specified behavior event appears in the event heterogeneous graph;
obtaining a second frequency with which similar behavior events corresponding to the specified behavior event appear in the event heterogeneous graph, wherein the source vertex of a similar behavior event has the same label as the source vertex of the specified behavior event, and the destination vertex of a similar behavior event has the same label as the destination vertex of the specified behavior event;
and obtaining the probability value of the specified behavior event occurring from the activity of the source vertex, the activity of the destination vertex, the first frequency and the second frequency.
Optionally, determining the anomaly value of the specified behavior event from the probability value includes:
determining the anomaly value of the specified behavior event from the probability value and a negative correlation between the probability value and the anomaly value.
Optionally, extracting the behavior data from the terminal includes:
extracting the behavior data of the terminal from a third-party log and an API log.
In another aspect, the present invention further provides an apparatus for generating alarm information, including:
an extraction module, configured to extract behavior data from the terminal;
a heterogeneous graph generating module, configured to construct an event heterogeneous graph from the behavior data, wherein edges in the event heterogeneous graph represent behavior events;
an anomaly value determining module, configured to determine the anomaly value of a specified behavior event in the event heterogeneous graph;
and an alarm information determining module, configured to take the specified behavior event whose anomaly value meets the alarm condition as the alarm information.
In yet another aspect, the present invention also provides an electronic device, including:
a memory for storing a computer program;
and the processor is used for realizing the alarm information generation method when executing the computer program.
In still another aspect, the present invention further provides a storage medium, where computer-executable instructions are stored, and when the computer-executable instructions are loaded and executed by a processor, the method for generating alarm information as described above is implemented.
Thus the method constructs an event heterogeneous graph from the behavior data extracted from the terminal, uses that graph to determine the anomaly value of each behavior event of interest, and selects the alarm information according to the anomaly value. That is, the method determines an anomaly value for a behavior event through the event heterogeneous graph, uses the anomaly value to judge how likely the behavior event is to be malicious, and finally selects the behavior events that warrant an alarm according to their anomaly values to generate the alarm information. The anomaly value therefore improves the accuracy and reliability of the generated alarm information directly, which avoids the situation in the related art where the detection rate of malicious events is maintained by enlarging the alarm log, so that the log becomes huge, the false alarm rate is high, and the real malicious events that require an alarm are buried among the excessive number of behavior events in the log. Compared with the related art, the method improves the reliability and accuracy of the alarm log and reduces its data volume.
Correspondingly, the invention also provides an alarm information generating device, electronic equipment and a storage medium, which have the beneficial effects and are not described herein again.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of an alarm information generating method according to an embodiment of the present invention;
FIG. 2 is a flowchart of constructing an event heterogeneous graph according to an embodiment of the present invention;
FIG. 3 is a flowchart of determining the anomaly value of a specified behavior event according to an embodiment of the present invention;
fig. 4 is a block diagram of an alarm information generating apparatus according to an embodiment of the present invention;
fig. 5 is a block diagram of an electronic device according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
At present, malicious events occur frequently because of deficiencies in protective measures, weak security awareness among users, and similar causes. A malicious event is a behavior event that an attacker executes outside the user's expectation after intruding into the terminal by illegitimate means. Malicious events can cause serious harm to the terminal, for example: data leakage (of key data, business secrets, employee information, customer data, and so on), which can cause immeasurable loss to the user; encryption of terminal data (ransomware), in which the attacker encrypts the data on the terminal so that the user cannot use it, destroying the terminal's availability. Attackers usually use asymmetric encryption, which is practically impossible to reverse without the private key, so the user has to pay the attacker a large ransom to restore the terminal's availability. In addition, an attacker may take control of the terminal through account brute-forcing, vulnerability exploitation and the like, turning it into a zombie (also called a puppet machine, one remotely controlled by the attacker) that participates in further network attacks such as DDoS (distributed denial of service). Therefore, when a malicious event exists on the terminal, the user needs to be alerted so that the terminal can be protected.
In the related art, an alarm log for malicious events is generated as follows: when the occurrence of a predetermined behavior event is observed using an indicator model, the related behavior events are recorded and an alarm log is generated. The predetermined behavior events are user-defined behavior events that may be malicious. Generally, the user defines the predetermined behavior events broadly, so as to reduce missed detections of malicious events. As a result, because the predetermined behavior events include many behavior events that are not malicious, the alarm log generated this way has a large data volume, the entries that correspond to real malicious events make up a small proportion of it, and the false alarm rate is high, so that the entries for real malicious events may be buried in the large number of entries for normal behavior. Furthermore, once the alarm log has been obtained, considerable manpower and resources are still needed to maintain it; for example, the user needs to build a strong Security Operations Center (SOC) to work through the alarm log.
The embodiment of the invention improves the accuracy of the alarm log through the event heterogeneous graph, thereby solving these problems. Referring to FIG. 1, which is a flowchart of an alarm information generating method according to an embodiment of the present invention, the method may include the following steps:
S101, extracting behavior data from the terminal.
The embodiment of the invention audits the behavior data generated on the terminal in order to determine whether a malicious event has occurred there. Therefore, when generating alarm information, the embodiment first extracts the behavior data from the terminal. The source of the behavior data is not limited here. For example, an API (Application Programming Interface) call sequence may be used as the behavior data, or the relevant data in a third-party log may be used, or both the API call sequence and the third-party log data may be extracted as behavior data at the same time.
It can be understood that the embodiment analyzes the extracted behavior data to determine which behavior events should become alarm information. Therefore, the more comprehensive the extracted behavior data, the more accurate the resulting alarm information, and the lower the risk of missing a malicious event. That is, to further improve the accuracy and reliability of the generated alarm information, the embodiment may use both the API call sequence and the relevant data in the third-party log as the behavior data to be extracted. Accordingly, extracting the behavior data from the terminal may include extracting it from the third-party log and the API log. The manner in which the third-party log and API log of the terminal are obtained is not limited, as long as they can be obtained.
The behavior data in the embodiment of the invention may refer to low-level behaviors executed while the terminal operates, for example reading and writing files, and creating and executing processes. The specific content of the behavior data is not limited.
It should be noted that the embodiment does not limit the terminal, which may be any device that accepts user input and outputs processing results, for example a personal computer, a notebook computer, a mobile phone, or a server.
S102, constructing an event heterogeneous graph from the behavior data, wherein edges in the event heterogeneous graph represent behavior events.
By constructing the event heterogeneous graph corresponding to the behavior data, the embodiment of the invention can rapidly determine the anomaly value of a specified behavior event in the graph. That is, all the extracted behavior data are converted into, and presented as, an event heterogeneous graph; the anomaly value of each specified behavior event is then calculated within the graph, and the alarm information is generated from those anomaly values. Because the event heterogeneous graph can combine multiple data sources and express the relationships among all behavior events visually, the reliability and accuracy of the obtained anomaly values are improved.
An event heterogeneous graph is a heterogeneous graph (HG). In graph theory, a graph G may be defined as a triple (V, E, I), where V is the vertex set, E is the edge set disjoint from V, and I is the incidence function, which maps each element of E to a pair of vertices (u, v). If edge e is mapped to (u, v), e is said to join u and v, u and v are the endpoints of e, and u and v are adjacent with respect to e. Likewise, if two edges i and j share a vertex u, i and j are said to be adjacent at u. In an ordinary graph all vertices are of one type and all edges are of one type, but in practice connections between entities of different types are common, so a heterogeneous graph attaches auxiliary information to each vertex to support vertices of different types. Common auxiliary information includes: labels (class information), attributes (specific attribute information), vertex features (vertex-specific properties), information propagation (propagation paths), knowledge bases (additional knowledge about vertices), and so on. The event heterogeneous graph in the embodiment may be a directed graph or an undirected graph. In a directed graph each edge has a direction, that is, its two vertices are distinguished as source vertex and destination vertex; in an undirected graph the two vertices of an edge are not so distinguished.
Of course, the embodiment does not limit whether the constructed event heterogeneous graph is directed or undirected; this may be decided according to the actual behavior data. For example, if the behavior events corresponding to the behavior data have a direction, the constructed event heterogeneous graph is a directed graph.
It should be noted that the embodiment does not limit the manner in which the event heterogeneous graph is constructed from the behavior data. For example, the behavior data may be traversed, each behavior datum being translated into two vertices and an edge: if a vertex is already in the vertex set, only the edge is added to the edge set; if a vertex is not yet in the vertex set, the vertex is added to the vertex set and the edge is added to the edge set. The edges in the event heterogeneous graph represent behavior events, and each behavior datum may correspond to one behavior event.
S103, determining the anomaly value of the specified behavior event in the event heterogeneous graph.
The anomaly value in the embodiment of the invention characterizes the likelihood that a behavior event in the event heterogeneous graph is a malicious event. That is, the anomaly value makes clear how likely the corresponding behavior event is to be malicious. Therefore, the embodiment can judge directly from the anomaly value of each specified behavior event in the event heterogeneous graph how likely that event is to be malicious, and then take the specified behavior events whose anomaly values meet the alarm condition as alarm information. The number of specified behavior events is not limited: the specified behavior events may be a subset of the behavior events in the event heterogeneous graph, for example any one or any several of them, or all of them, and the user may set the specified behavior events according to actual requirements.
In this way the embodiment of the invention avoids the problems of the related art, where the detection rate of malicious events is maintained by enlarging the alarm log (that is, by giving the indicator model broadly defined, loosely conditioned predetermined behavior events), so that the alarm log is huge and the false alarm rate is high. Compared with the related art, the embodiment improves the reliability and accuracy of the alarm information and reduces its volume; the alarm information generated through anomaly values has a controllable volume, high accuracy and traceability (every behavior event related to a specified behavior event, and the relationships between them, can be read from the event heterogeneous graph).
It should be noted that the embodiment does not limit how the specified behavior events are determined; the user may decide according to the application scenario. In one scenario, the user needs to obtain the alarm information for a terminal; to ensure the alarm information is accurate and complete and no malicious event is missed, all behavior events in the event heterogeneous graph are taken directly as the specified behavior events. In another scenario, the user wants to analyze the alarm information produced by an existing alarm system, determine whether it contains false alarms, and prune it so as to improve the efficiency of the SOC. That is, when it must be judged whether the existing alarm information contains normal behavior events, the alarm entries corresponding to normal behavior events are removed, which reduces the number of alarms and the workload of the SOC and improves its efficiency. To ensure the pruning is effective, all behavior events corresponding to the input initial alarm information are taken as the specified behavior events. The initial alarm information is not limited; it may be any alarm information whose accuracy needs to be judged, for example the alarm information produced by the existing alarm system.
The embodiment of the present invention does not limit the manner of determining the abnormal value of a specified behavior event in the event heterogeneous graph. For example, whether each specified behavior event is a malicious event may be decided directly from the probability value of the specified behavior event occurring in the event heterogeneous graph. Alternatively, the probability value of the occurrence of the specified behavior event is obtained from the event heterogeneous graph, the abnormal value of each specified behavior event is determined from that probability value, and whether each specified behavior event is a malicious event is then determined from the abnormal value. Of course, the embodiment does not limit the manner of obtaining the probability value from the event heterogeneous graph. For example, the number of occurrences of the specified behavior event in the event heterogeneous graph and the total number of behavior events in the graph may be counted, and the former divided by the latter to obtain the probability value; each specified behavior event is processed in this way to obtain its probability value. Alternatively, the number of occurrences of the specified behavior event in the event heterogeneous graph may be counted together with the number of occurrences of the similar behavior events corresponding to it, and the former divided by the latter to obtain the probability value of the specified behavior event (the ratio freq/freq_sim used in step S303 below); again each specified behavior event is processed in this way. Here the source vertex of a similar behavior event has the same label as the source vertex of the specified behavior event, and the destination vertex of the similar behavior event has the same label as the destination vertex of the specified behavior event. Alternatively, the number of occurrences and the activity of the specified behavior event in the event heterogeneous graph may be counted together with the number of occurrences of its similar behavior events, and the probability value calculated from these statistics; again each specified behavior event is processed in this way. Of course, the embodiment does not limit the manner of obtaining the activity corresponding to a specified behavior event in the event heterogeneous graph; for example, the activity may be determined from the out-degree of the source vertex and the in-degree of the destination vertex of the specified behavior event. Out-degree (OD) of a vertex in a directed graph: the number of edges that have that vertex as their source vertex. In-degree (ID) of a vertex in a directed graph: the number of edges that have that vertex as their destination vertex.
Of course, the embodiment of the present invention does not limit the manner of determining the abnormal value of each specified behavior event from its probability value. For example, the abnormal value may be determined from a negative correlation between the probability value and the abnormal value (the lower the probability of occurrence, the higher the abnormal value), and each specified behavior event is processed in this way to obtain its abnormal value. It should be noted that the particular negative correlation is not limited in the embodiment; the user can set and modify it according to the actual situation.
S104, taking the specified behavior event whose abnormal value meets the alarm condition as alarm information.
The embodiment of the invention does not limit the content of the alarm condition; the user can set it according to the actual application scenario. For example, the alarm condition may be a set alarm threshold, or a required number of alarm information entries, etc. Of course, the embodiment does not limit the specific values of the alarm threshold or of the required number of alarm information entries; the user sets and modifies them according to the actual application scenario. Correspondingly, the embodiment does not limit how the specified behavior events whose abnormal values meet the alarm condition are turned into alarm information. For example, when the alarm condition is a set alarm threshold, the process may be: compare each abnormal value with the alarm threshold, and if the abnormal value is greater than the alarm threshold, use the corresponding specified behavior event as alarm information. It is understood that when there are multiple specified behavior events, each has its own abnormal value, so the comparison is performed for every abnormal value.

When the alarm condition is that the specified behavior events corresponding to the top preset number of abnormal values are used as alarm information, the process may be: sort the abnormal values in descending order and use the specified behavior events corresponding to the first preset number of them as alarm information. For example, the abnormal values obtained in step S103 are sorted from largest to smallest and the top N1 specified behavior events are used as alarm information; of course, the embodiment does not limit the specific value of the preset number N1. Note that a top-N1 condition always yields N1 alarms, however low the abnormal values are, whereas a threshold condition yields none when every abnormal value is below the threshold.
It should be noted that the embodiment of the present invention does not limit the specific form of the alarm information; the user may set and modify it according to actual requirements. For example, the alarm information may take the form of a log (an alarm log), a table, etc.
Further, in order to let the user obtain the alarm information in time, the alarm information can be output to the user. Of course, the embodiment of the present invention does not limit the specific manner of output. For example, the alarm information may be output through an IM (instant messaging) system, a mail system, a short message (SMS) system or a log system; of course, at least two of these may also be combined to convey the potential threat information to the user.
Based on the above technical solution, the embodiment of the present invention provides a simple and efficient alarm information generating method: an event heterogeneous graph is constructed from the behavior data extracted from the terminal, the abnormal value of each corresponding behavior event is determined from the event heterogeneous graph, and the finally required alarm information is determined from the abnormal values. That is, the abnormal value of a behavior event can be determined through the event heterogeneous graph, the likelihood that the behavior event is a malicious event can be determined through its abnormal value, and the behavior events that need to be alarmed are selected according to the abnormal values to generate the alarm information. Therefore, the accuracy and reliability of the generated alarm information are improved through the abnormal value. Because the accuracy of the alarm information is improved directly through the abnormal value, the embodiment avoids the problem in the related art that the detection rate of malicious events is ensured only by increasing the amount of data in the alarm log, which makes the alarm log huge and the false alarm rate of malicious events high; it also avoids the situation in which the real malicious events that need to be alarmed are submerged by the excessive number of behavior events in the alarm log. Therefore, compared with the related art, the method and device of the embodiment improve the reliability and accuracy of the alarm log and reduce its data volume.
Based on the above embodiment, since the event heterogeneous graph is used to determine the abnormal value of each behavior event, the abnormal value expresses the likelihood that the behavior event is a malicious event, and the alarm information is generated from the abnormal values, the accuracy of the constructed event heterogeneous graph determines the accuracy of the abnormal values subsequently obtained from it, and the efficiency of constructing the event heterogeneous graph directly affects the efficiency of generating the alarm information. To improve both the accuracy and the construction efficiency of the event heterogeneous graph, refer to fig. 2, which is a flowchart of a method for constructing an event heterogeneous graph according to an embodiment of the present invention; the construction process may include:
S201, dividing the behavior data into corresponding time periods according to the behavior occurrence time.
The number of time periods is not limited in the embodiments of the present invention; it depends on the time range covered by the extracted behavior data of the terminal and on the length of each time period. For example, when the time range covered by the extracted behavior data is one day and the length of each time period is one hour, 24 time periods are obtained. Of course, the embodiment does not limit the time range covered by the extracted behavior data or the length of each time period; both may be set and modified by the user according to the actual application scenario.

It should be noted that the lengths of the time periods may be the same or different. When every time period has the same length, the time periods may be obtained as follows: divide the time range covered by the extracted behavior data into a plurality of time periods of a preset length, and assign the extracted behavior data to the corresponding time periods through an observation window of that preset length; of course, the embodiment does not limit the value of the preset length. When the time periods have different lengths, they may be obtained as follows: divide the time range covered by the extracted behavior data into a plurality of time periods in sequence according to a preset length for each time period. The embodiment does not limit how these preset lengths are set; for example, the time range covered by the extracted behavior data may first be divided into an idle time range and a busy time range, the idle time range then divided into time periods of a first preset length and the busy time range into time periods of a second preset length, where the first preset length is greater than the second preset length; of course, the embodiment does not limit the values of the first and second preset lengths.
S202, constructing a time period event heterogeneous graph from the behavior data of each time period, and forming the event heterogeneous graph from the time period event heterogeneous graphs.
The embodiment of the invention determines, from the behavior occurrence time of each extracted behavior datum, the time period it belongs to and assigns it to that period. That is, all extracted behavior data are partitioned into blocks by the set time periods, the behavior events corresponding to the behavior data of each time period are put together to generate the time period event heterogeneous graph of that period, and the resulting time period event heterogeneous graphs together form the event heterogeneous graph. In other words, the event heterogeneous graph obtained in the embodiment consists of the time period event heterogeneous graphs of all the time periods. Of course, the embodiment does not limit the manner of constructing the time period event heterogeneous graph of each period from its behavior data. For example, the behavior data may be traversed and each behavior datum translated into two vertices and one edge: if a vertex is already in the vertex set, only the edge is added to the edge set; if a vertex is not yet in the vertex set, the new vertex is added to the vertex set and the edge is then added to the edge set. It can be understood that, by dividing all extracted behavior data into the partial behavior data of a plurality of time periods, the embodiment avoids constructing one event heterogeneous graph over all the extracted behavior data at once; partitioning the whole behavior data improves the efficiency of constructing each time period event heterogeneous graph and therefore the efficiency of constructing the final event heterogeneous graph.
Furthermore, the time periods have a temporal order, and several behavior events occurring in sequence may have a causal relationship, so the behavior events of different time periods may be associated. In order to improve the accuracy of the constructed time period event heterogeneous graphs, they may be generated one by one in the order of the time periods, and when the time period event heterogeneous graph of the current period is constructed from the current period's behavior data, the content of the behavior data in previous periods that is related to the current period is added. For example, when the behavior events of the first time period include behavior data for creating a first file, and the behavior events of the second time period include behavior data for writing first data into that created first file, then, when the time period event heterogeneous graph of the second time period is constructed, the creation of the first file in the first time period may be added to the second time period. Of course, the embodiment does not limit how the related content from previous periods is added; for example, it may be added as attribute information at the position of the corresponding behavior event in the time period event heterogeneous graph of the current period. This prevents the generated time period event heterogeneous graph of the current period from missing the influence of behavior events in previous periods on the behavior events of the current period.

Further, in order to characterize the causal relationship between consecutive behavior events more clearly, the embodiment may also mark, in the time period event heterogeneous graph of the current period, the time period in which the related behavior event occurred. In the example above, when the time period event heterogeneous graph of the second time period is constructed, the creation of the first file in the first time period is added to it and is marked as having occurred in the first time period.
Based on the above technical solution, the embodiment of the present invention provides an alarm information generating method in which the event heterogeneous graph is formed from time period event heterogeneous graphs. Dividing all extracted behavior data into the partial behavior data of a plurality of time periods avoids constructing one event heterogeneous graph over all the extracted behavior data at once, so that partitioning the whole behavior data improves the efficiency of constructing each time period event heterogeneous graph; and adding the causality between the behavior data of different time periods to the time period event heterogeneous graphs improves the accuracy of the constructed event heterogeneous graph. Therefore, the construction method provided by the embodiment improves both the accuracy and the construction efficiency of the event heterogeneous graph.
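The following is an added worked example of steps S201 and S202 above, including the cross-period causal attribute described for the "create, then write" case; it is illustration code written for this page, not code from the patent or from Sangfor. The record layout (occurrence time, subject, subject label, action, object, object label), the one-hour window length, the "created_in_period" attribute name and the sample records are all assumptions made for the example.

```python
"""Added example: per-time-period event heterogeneous graphs (S201/S202).
Not the patent's code; record layout, window length and sample data are assumed."""
from datetime import datetime

PERIOD_SECONDS = 3600  # assumed length of each time period (one hour)

# Constructed sample behavior data, not real telemetry:
# (occurrence time, subject, subject label, action, object, object label)
SAMPLE_RECORDS = [
    ("2024-01-01T00:05:00", "pid4120:winword.exe", "process", "create", r"C:\Users\a\x.docm", "file"),
    ("2024-01-01T00:07:00", "pid4120:winword.exe", "process", "write", r"C:\Users\a\x.docm", "file"),
    ("2024-01-01T01:10:00", "pid4120:winword.exe", "process", "write", r"C:\Users\a\x.docm", "file"),
    ("2024-01-01T01:12:00", "pid4120:winword.exe", "process", "exec", "pid5001:powershell.exe", "process"),
    ("2024-01-01T02:30:00", "pid5001:powershell.exe", "process", "connect", "198.51.100.7:443", "ip"),
]


def period_index(ts, t0):
    """S201: map an occurrence time to its 0-based equal-length time period."""
    return int((datetime.fromisoformat(ts) - t0).total_seconds() // PERIOD_SECONDS)


def build_period_graphs(records):
    """S202: one directed graph per time period.

    Returns {period: {"vertices": {vertex_id: label}, "edges": [edge dict, ...]}}.
    Each record becomes two vertices (subject -> object) and one directed edge
    labelled with the action; a vertex is added only if it is not already in the
    vertex set. Records are processed in time order so that an object created in
    an earlier period can be referenced, as an edge attribute, from a later period.
    """
    t0 = min(datetime.fromisoformat(r[0]) for r in records)
    graphs = {}
    created_in = {}  # object id -> period of the first "create" edge targeting it
    for ts, src, src_label, action, dst, dst_label in sorted(records):
        p = period_index(ts, t0)
        g = graphs.setdefault(p, {"vertices": {}, "edges": []})
        g["vertices"].setdefault(src, src_label)
        g["vertices"].setdefault(dst, dst_label)
        edge = {"src": src, "src_label": src_label, "action": action,
                "dst": dst, "dst_label": dst_label, "attrs": {}}
        # cross-period causality: an object created in an EARLIER period carries
        # that fact into the current period's graph, marked with its period
        if dst in created_in and created_in[dst] < p:
            edge["attrs"]["created_in_period"] = created_in[dst]
        if action == "create" and dst not in created_in:
            created_in[dst] = p
        g["edges"].append(edge)
    return graphs


def period_summary(graphs):
    """{period: (vertex count, edge count)} in period order, for a quick check."""
    return {p: (len(g["vertices"]), len(g["edges"])) for p, g in sorted(graphs.items())}


if __name__ == "__main__":
    gs = build_period_graphs(SAMPLE_RECORDS)
    for p, (nv, ne) in period_summary(gs).items():
        print(f"period {p}: {nv} vertices, {ne} edges")
    for p, g in sorted(gs.items()):
        for e in g["edges"]:
            if e["attrs"]:
                print(f"period {p}: {e['src']} -{e['action']}-> {e['dst']} {e['attrs']}")
```

With the constructed records, the write in period 1 is tagged with the creation that happened in period 0, while the write in period 0 (same period as the creation) is not; the exec and connect edges carry no attribute because nothing created their objects.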
Referring to fig. 3, fig. 3 is a flowchart of determining the abnormal value of a specified behavior event according to an embodiment of the present invention. The embodiment can further improve the accuracy of the abnormal value of the specified behavior event, and the process may include the following steps:
S301, acquiring, from the event heterogeneous graph, the activity of the source vertex and the activity of the destination vertex of the specified behavior event, and acquiring the first frequency with which the specified behavior event occurs in the event heterogeneous graph.
It should be noted that the event heterogeneous graph constructed in the embodiment of the present invention is a directed graph: for example, its vertices are built from source vertices (subjects) and destination vertices (objects), its edges are built from behavior events (actions), and each edge is a directed edge pointing from the source vertex (subject) to the destination vertex (object).
The embodiment of the present invention does not limit the manner of obtaining the activity of the source vertex and the activity of the destination vertex of the specified behavior event. For example, the activity of the source vertex may be determined from its out-degree and the activity of the destination vertex from its in-degree. The embodiment does not limit how the activity is determined from the out-degree of the source vertex. For example, one manner is: over the time period event heterogeneous graphs of all the time periods, determine the number of time periods in which the out-degree of the source vertex of the specified behavior event is greater than 0, and take the ratio of that number to the total number of time periods as the activity of the source vertex, denoted act_out; the activity of the source vertex of each specified behavior event may be determined in this way. Likewise, the embodiment does not limit how the activity is determined from the in-degree of the destination vertex. For example, one manner is: over the time period event heterogeneous graphs of all the time periods, determine the number of time periods in which the in-degree of the destination vertex of the specified behavior event is greater than 0, and take the ratio of that number to the total number of time periods as the activity of the destination vertex, denoted act_in; the activity of the destination vertex of each specified behavior event may be determined in this way. Of course, the value 0 is not limited in the embodiment and may be another value, for example 1.
The process of obtaining the first frequency with which the specified behavior event occurs in the event heterogeneous graph may be: in the constructed event heterogeneous graph, count the edges that have the same source vertex, the same destination vertex and the same behavior event as the specified behavior event, and take that number as the first frequency. For example, over the time period event heterogeneous graphs of all the time periods, the number of edges whose source vertex, destination vertex and behavior event all coincide with those of the specified behavior event is the first frequency, denoted freq. The first frequency of each specified behavior event may be counted in this way.
S302, acquiring the second frequency with which similar behavior events corresponding to the specified behavior event occur in the event heterogeneous graph; where the source vertex of a similar behavior event has the same label as the source vertex of the specified behavior event, and the destination vertex of the similar behavior event has the same label as the destination vertex of the specified behavior event.

The purpose of step S302 is to count the second frequency with which similar behavior events occur in the event heterogeneous graph. A similar behavior event has, relative to the corresponding specified behavior event, a source vertex with the same label, a destination vertex with the same label and an edge with the same label (the concrete source and destination vertices themselves need not be the same). Therefore, the process may be: from the constructed event heterogeneous graph, count the similar behavior events whose source vertex label, destination vertex label and edge label all match those of the specified behavior event, and take that number as the second frequency. For example, over the time period event heterogeneous graphs of all the time periods, the number of edges with the same source vertex label, the same destination vertex label and the same edge label is the second frequency, denoted freq_sim. The second frequency of the similar behavior events corresponding to each specified behavior event may be counted in this way. Since the specified behavior event itself satisfies this condition, freq_sim is never smaller than freq for an event present in the graph.
S303, obtaining the probability value of the occurrence of the specified behavior event from the activity of the source vertex, the activity of the destination vertex, the first frequency and the second frequency.

The manner of obtaining the probability value of the occurrence of the specified behavior event in the embodiment of the present invention may be: act_out * act_in * (freq / freq_sim). Each of the three factors lies in [0, 1], so the probability value also lies in [0, 1]; the probability value of each specified behavior event may be calculated in this way.
S304, determining the abnormal value of the specified behavior event from the probability value and the negative correlation between the probability value and the abnormal value.

It should be noted that the embodiment of the present invention does not limit the negative correlation between the probability value and the abnormal value; the user may set and modify it according to the actual situation, as long as the abnormal value decreases as the probability value increases. For example, the abnormal value of the specified behavior event may be determined as 1 - act_out * act_in * (freq / freq_sim), that is, by subtracting the probability value obtained in step S303 from 1; the abnormal value of each specified behavior event may be calculated in this way. Of course, any other function whose output decreases as its input increases may be used instead: the probability value of the specified behavior event is supplied as the input parameter and the output is used as its abnormal value.
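The following is an added worked example, written for this page rather than taken from the patent or from Sangfor, that carries steps S301 to S304 above through on a small constructed set of time period event heterogeneous graphs and then applies the two S104 alarm conditions (alarm threshold and top-N1). Treating a vertex label as a coarse type (process, file, ip) and the edge label as the action, and the sample edges themselves, are assumptions; the formulas are the page's own: act_out, act_in, freq, freq_sim, probability act_out * act_in * (freq / freq_sim) and abnormal value 1 - probability.

```python
"""Added example: abnormal values of specified behavior events (S301-S304) and
S104 alarm selection. Not the patent's code; vertex labels as coarse types and
the sample graphs are assumptions."""
from collections import Counter

# Constructed sample: period -> edges (source, source label, action, destination, destination label)
PERIOD_GRAPHS = {
    0: [("winword.exe", "process", "write", "report.docx", "file"),
        ("winword.exe", "process", "write", "notes.docx", "file"),
        ("chrome.exe", "process", "connect", "203.0.113.10:443", "ip")],
    1: [("winword.exe", "process", "write", "report.docx", "file"),
        ("chrome.exe", "process", "connect", "203.0.113.10:443", "ip"),
        ("chrome.exe", "process", "connect", "203.0.113.11:443", "ip")],
    2: [("winword.exe", "process", "write", "report.docx", "file"),
        ("winword.exe", "process", "exec", "powershell.exe", "process"),
        ("chrome.exe", "process", "connect", "203.0.113.10:443", "ip")],
    3: [("chrome.exe", "process", "connect", "203.0.113.10:443", "ip"),
        ("powershell.exe", "process", "connect", "198.51.100.7:443", "ip")],
}


def activities(graphs, degree_threshold=0):
    """S301 activity: act_out[v] = (#periods with out-degree(v) > threshold) / #periods,
    act_in[v] the same with in-degree. The page uses threshold 0 (1 is also allowed)."""
    n_periods = len(graphs)
    out_periods, in_periods = Counter(), Counter()
    for edges in graphs.values():
        out_deg, in_deg = Counter(), Counter()
        for src, _, _, dst, _ in edges:
            out_deg[src] += 1
            in_deg[dst] += 1
        out_periods.update(v for v, d in out_deg.items() if d > degree_threshold)
        in_periods.update(v for v, d in in_deg.items() if d > degree_threshold)
    return ({v: c / n_periods for v, c in out_periods.items()},
            {v: c / n_periods for v, c in in_periods.items()})


def frequencies(graphs):
    """S301/S302: freq counts edges with the same (source, action, destination);
    freq_sim counts edges with the same (source label, action, destination label)."""
    freq, freq_sim = Counter(), Counter()
    for edges in graphs.values():
        for src, src_label, action, dst, dst_label in edges:
            freq[(src, action, dst)] += 1
            freq_sim[(src_label, action, dst_label)] += 1
    return freq, freq_sim


def abnormal_values(graphs, specified=None, degree_threshold=0):
    """S303/S304: {(source, action, destination): abnormal value}.
    By default every distinct behavior event in the graph is a specified behavior event."""
    act_out, act_in = activities(graphs, degree_threshold)
    freq, freq_sim = frequencies(graphs)
    if specified is None:
        specified = {e for edges in graphs.values() for e in edges}
    scores = {}
    for src, src_label, action, dst, dst_label in specified:
        sim = freq_sim[(src_label, action, dst_label)]
        # a specified event whose (label, action, label) class never occurs gets probability 0
        ratio = freq[(src, action, dst)] / sim if sim else 0.0
        probability = act_out.get(src, 0.0) * act_in.get(dst, 0.0) * ratio
        scores[(src, action, dst)] = 1.0 - probability
    return scores


def alarms_by_threshold(scores, alarm_threshold):
    """S104, threshold condition: events with abnormal value > threshold, highest first."""
    return sorted((e for e, s in scores.items() if s > alarm_threshold),
                  key=lambda e: scores[e], reverse=True)


def top_n_alarms(scores, n):
    """S104, top-N1 condition: the n events with the largest abnormal values."""
    return sorted(scores, key=lambda e: scores[e], reverse=True)[:n]


if __name__ == "__main__":
    scores = abnormal_values(PERIOD_GRAPHS)
    for event, s in sorted(scores.items(), key=lambda kv: kv[1], reverse=True):
        print(f"{s:.4f}  {event}")
    print("threshold 0.9:", alarms_by_threshold(scores, 0.9))
    print("top 2:", top_n_alarms(scores, 2))
```

On the constructed graphs the recurring edges (chrome.exe connecting to the same address in every period, winword.exe writing report.docx in three of four periods) get low abnormal values, while the one-off powershell.exe connection, whose source and destination are each active in a single period and whose (process, connect, ip) class is common, scores highest; a threshold of 0.9 returns three alarms and a threshold of 0.99 returns none, which is the threshold-versus-top-N1 difference noted under S104.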
The embodiment of the invention provides an alarm information generating method in which the abnormal value of a behavior event is determined through the event heterogeneous graph, the likelihood that the behavior event is a malicious event is determined through the abnormal value, and the behavior events that need to be alarmed are selected according to the abnormal values to generate the alarm information. Therefore, the accuracy and reliability of the generated alarm information are improved through the abnormal value, and the accuracy of the abnormal value of the specified behavior event is further improved by the above manner of determining it.
It should be noted that features that are not mutually inconsistent in the embodiments of the present invention can be arbitrarily combined to form a new embodiment, and the present invention is not limited to the above-mentioned several embodiments. The embodiment of the present application does not limit the execution subject of each of the above embodiments, and the execution subject may be an electronic device, and of course, the electronic device may be the terminal itself.
In the following, the alarm information generating apparatus, the electronic device, and the storage medium according to the embodiments of the present invention are introduced, and the alarm information generating apparatus, the electronic device, and the storage medium described below may be referred to in correspondence with the alarm information generating method described above.
Referring to fig. 4, fig. 4 is a block diagram of an alarm information generating apparatus according to an embodiment of the present invention; the apparatus may include:
an extracting module 110, configured to extract behavior data in the terminal;
the heterogeneous graph generation module 120 is used for constructing an event heterogeneous graph according to the behavior data; wherein edges in the event heterogeneous graph represent behavior events;
an abnormal value determination module 130, configured to determine an abnormal value of a specified behavior event in the event heterogeneous graph;
and the alarm information determination module 140 is configured to use the specified behavior event corresponding to the abnormal value meeting the alarm condition as the alarm information.
Based on the above embodiments, the heterogeneous map generation module 120 may include:
the data dividing unit is used for dividing the behavior data into corresponding time periods according to the behavior occurrence time;
and the heterogeneous graph generating unit is used for constructing the time period event heterogeneous graph according to the behavior data corresponding to each time period and forming the event heterogeneous graph from the time period event heterogeneous graphs.
Based on any of the above embodiments, the alarm information determination module 140 may include:
and the alarm information determining unit is used for arranging the abnormal values in a descending order and taking the specified behavior events corresponding to the abnormal values of the previous preset number as alarm information.
Based on any of the above embodiments, the specified behavior events may be all behavior events in the event heterogeneous graph; or, the specified behavior events may be all behavior events corresponding to the obtained initial alarm information.
Based on any of the above embodiments, the outlier determination module 130 may include:
the probability acquisition unit is used for acquiring the probability value of the occurrence of the specified behavior event according to the event heterogeneous graph;
and an abnormal value determination unit for determining an abnormal value of the specified behavior event according to the probability value.
Based on the above embodiment, the probability obtaining unit may include:
the first calculation subunit is used for acquiring, according to the event heterogeneous graph, the activity of the source vertex and the activity of the destination vertex of the specified behavior event and the first frequency with which the specified behavior event occurs in the event heterogeneous graph;
the second calculation subunit is used for acquiring the second frequency with which similar behavior events corresponding to the specified behavior event occur in the event heterogeneous graph; the source vertex of the similar behavior event has the same label as the source vertex of the specified behavior event, and the destination vertex of the similar behavior event has the same label as the destination vertex of the specified behavior event;
and the probability obtaining subunit is used for obtaining the probability value of the occurrence of the specified behavior event according to the activity of the source vertex, the activity of the target vertex, the first frequency and the second frequency.
Based on the above embodiment, the abnormal value determination unit may include:
and the abnormal value determining subunit is used for determining the abnormal value of the specified behavior event according to the probability value and the negative correlation relationship between the probability value and the abnormal value.
Based on any of the above embodiments, the extraction module 110 may include:
and the extraction unit is used for extracting the behavior data in the terminal from the third party log and the API log.
It should be noted that, in any of the above embodiments, the device may be implemented on a programmable logic device, including an FPGA, a CPLD, a single-chip microcontroller, a processor, and the like; these programmable logic devices may be provided in an electronic device.
Corresponding to the above method embodiment, the embodiment of the invention also provides an electronic device. As can be seen in fig. 5, the electronic device may include:
a memory 332 for storing a computer program;
the processor 322 is configured to implement the alert information generating method of the above method embodiment when executing the computer program.
Specifically, referring to fig. 6, fig. 6 is a structural diagram of an electronic device provided in this embodiment. The electronic device may vary considerably in configuration or performance, and may include one or more processors (CPUs) 322, a memory 332, and one or more storage media 330 (e.g., one or more mass storage devices) storing an application 342 or data 344. The memory 332 and the storage media 330 may be transient storage or persistent storage. The program stored on the storage medium 330 may include one or more modules (not shown), each of which may include a series of instructions operating on a data processing device. Still further, the processor 322 may be configured to communicate with the storage medium 330 to execute the series of instruction operations in the storage medium 330 on the electronic device 301.

The electronic device 301 may also include one or more power supplies 326, one or more wired or wireless network interfaces 350, one or more input/output interfaces 358, and/or one or more operating systems 341, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
The steps of the above-described alarm information generation method may be implemented by the structure of this electronic device. The electronic device may be a terminal (e.g., a computer or a server), which is not limited here.
Corresponding to the above method embodiments, an embodiment of the invention also provides a storage medium. The storage medium stores a computer program which, when executed by a processor, carries out the steps of the alarm information generating method of the above method embodiments.
The storage medium may be a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other storage media capable of storing program codes.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts among the embodiments may be referred to one another. Because the apparatus disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is brief, and the relevant points may be found in the description of the method.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read-Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The above details describe a method, an apparatus, an electronic device and a storage medium for generating alarm information according to the present invention. The principles and embodiments of the present invention are explained herein using specific examples, which are presented only to assist in understanding the method and its core concepts. It should be noted that, for those skilled in the art, it is possible to make various improvements and modifications to the present invention without departing from the principle of the present invention, and those improvements and modifications also fall within the scope of the claims of the present invention.

Claims (9)

1. A method for generating alarm information, characterized by comprising the following steps:
extracting behavior data in a terminal;
constructing an event heterogeneous graph according to the behavior data, wherein edges in the event heterogeneous graph represent behavior events;
acquiring, according to the event heterogeneous graph, the activity of the source vertex and the activity of the destination vertex of a specified behavior event, and a first frequency with which the specified behavior event appears in the event heterogeneous graph;
acquiring a second frequency with which similar behavior events corresponding to the specified behavior event appear in the event heterogeneous graph, wherein the source vertex of a similar behavior event has the same label as the source vertex of the specified behavior event, and the destination vertex of the similar behavior event has the same label as the destination vertex of the specified behavior event;
acquiring a probability value of the occurrence of the specified behavior event according to the activity of the source vertex, the activity of the destination vertex, the first frequency and the second frequency;
determining an abnormal value of the specified behavior event according to the probability value; and
taking the specified behavior event whose abnormal value meets an alarm condition as alarm information.
2. The method for generating alarm information according to claim 1, wherein constructing the event heterogeneous graph according to the behavior data comprises:
dividing the behavior data into corresponding time periods according to the time at which each behavior occurred;
constructing a time-period event heterogeneous graph from the behavior data corresponding to each time period; and
combining the time-period event heterogeneous graphs into the event heterogeneous graph.
3. The method for generating alarm information according to claim 1, wherein taking the specified behavior event whose abnormal value meets the alarm condition as alarm information comprises:
sorting the abnormal values in descending order, and taking the specified behavior events corresponding to the first preset number of abnormal values as alarm information.
4. The method for generating alarm information according to claim 1, wherein the specified behavior events are all behavior events in the event heterogeneous graph; or the specified behavior events are all behavior events corresponding to previously obtained initial alarm information.
5. The method for generating alarm information according to any one of claims 1 to 4, wherein determining the abnormal value of the specified behavior event according to the probability value comprises:
determining the abnormal value of the specified behavior event from the probability value, using the negative correlation between the probability value and the abnormal value.
6. The method for generating alarm information according to claim 1, wherein extracting the behavior data in the terminal comprises:
extracting the behavior data in the terminal from third-party logs and API logs.
7. An alarm information generating apparatus, characterized by comprising:
an extraction module, configured to extract behavior data in a terminal;
a heterogeneous graph generating module, configured to construct an event heterogeneous graph according to the behavior data, wherein edges in the event heterogeneous graph represent behavior events;
an event heterogeneous graph information acquisition module, configured to acquire, according to the event heterogeneous graph, the activity of the source vertex and the activity of the destination vertex of a specified behavior event, and a first frequency with which the specified behavior event appears in the event heterogeneous graph;
a frequency acquisition module, configured to acquire a second frequency with which similar behavior events corresponding to the specified behavior event appear in the event heterogeneous graph, wherein the source vertex of a similar behavior event has the same label as the source vertex of the specified behavior event, and the destination vertex of the similar behavior event has the same label as the destination vertex of the specified behavior event;
a probability value acquisition module, configured to acquire a probability value of the occurrence of the specified behavior event according to the activity of the source vertex, the activity of the destination vertex, the first frequency and the second frequency;
an abnormal value determining module, configured to determine an abnormal value of the specified behavior event according to the probability value; and
an alarm information determining module, configured to take the specified behavior event whose abnormal value meets an alarm condition as alarm information.
8. An electronic device, comprising:
a memory for storing a computer program; and
a processor for implementing the method for generating alarm information according to any one of claims 1 to 6 when executing the computer program.
9. A storage medium storing computer-executable instructions which, when loaded and executed by a processor, implement the method for generating alarm information according to any one of claims 1 to 6.
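An added worked example (Python; not code from the patent or from Sangfor) that runs claims 1 to 5 end to end over a constructed set of endpoint behavior records: the event heterogeneous graph is built per time period and merged (claim 2), vertex activity is taken to be the number of events a vertex takes part in, and the probability combines the four quantities named in claim 1 with a rule that is an assumption of this example, since the claims state only which inputs are used; abnormal values are sorted in descending order and the first top_n events are returned as alarm information (claim 3).

```python
import math
from collections import Counter, defaultdict

# Constructed sample behavior records (not from the patent), already extracted from
# endpoint logs: (timestamp, source label, source id, destination label, destination id, action)
BEHAVIOR_DATA = (
    [(100 + i, "process", "winword.exe", "file", "report.docx", "write") for i in range(3)]
    + [(200 + i, "process", "winword.exe", "file", "notes.txt", "write") for i in range(2)]
    + [(300 + i, "process", "winword.exe", "process", "splwow64.exe", "start") for i in range(2)]
    + [(3700 + i, "process", "explorer.exe", "process", "winword.exe", "start") for i in range(2)]
    + [(3800 + i, "process", "explorer.exe", "process", "chrome.exe", "start") for i in range(2)]
    + [(3900 + i, "process", "chrome.exe", "file", "cache.bin", "write") for i in range(3)]
    + [(4000, "process", "winword.exe", "process", "cmd.exe", "start")]  # the rare event
)

def build_event_graph(records, period=3600):
    """Claim 2: one heterogeneous graph per time period (vertex = (label, id), edge = behavior
    event), then the period graphs are merged. Returns (merged graph, per-period graphs)."""
    per_period = defaultdict(Counter)
    for ts, sl, sid, dl, did, action in records:
        per_period[ts // period][((sl, sid), (dl, did), action)] += 1
    merged = Counter()
    for graph in per_period.values():
        merged.update(graph)
    return merged, dict(per_period)

def vertex_activity(edges):
    """Activity of a vertex, assumed here to be the number of behavior events it takes part in."""
    activity = Counter()
    for (src, dst, _), n in edges.items():
        activity[src] += n
        activity[dst] += n
    return activity

def event_probability(edges, activity, event):
    """Combine source/destination activity, the event's own frequency f1 and the frequency f2 of
    similar events (same source and destination labels). The combination rule is an assumption;
    the claims state only which four quantities feed the probability."""
    src, dst, _ = event
    total = sum(activity.values())
    f1 = edges[event]
    f2 = sum(n for (s, d, _), n in edges.items() if s[0] == src[0] and d[0] == dst[0])
    return (activity[src] / total) * (activity[dst] / total) * (f1 / f2)

def generate_alarms(records, top_n=2, specified_events=None):
    """Score the specified events (claim 4: every edge, or a given subset), sort the abnormal
    values in descending order and return the first top_n events as alarm information (claim 3)."""
    edges, _ = build_event_graph(records)
    activity = vertex_activity(edges)
    events = list(edges) if specified_events is None else specified_events
    # abnormal value: negatively correlated with the probability (claim 5)
    scored = [(-math.log(event_probability(edges, activity, ev)), ev) for ev in events]
    scored.sort(key=lambda item: item[0], reverse=True)
    return [ev for _, ev in scored[:top_n]]
```

With this data the single winword.exe to cmd.exe start, a rarely seen edge between an otherwise busy source and a near-idle destination, receives the highest abnormal value and is reported first.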
CN201911304633.0A 2019-12-17 2019-12-17 Alarm information generation method and device, electronic equipment and storage medium Active CN112988501B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201911304633.0A CN112988501B (en) 2019-12-17 2019-12-17 Alarm information generation method and device, electronic equipment and storage medium
PCT/CN2020/136704 WO2021121244A1 (en) 2019-12-17 2020-12-16 Alarm information generation method and apparatus, electronic device, and storage medium
EP20903246.5A EP4080368A4 (en) 2019-12-17 2020-12-16 Alarm information generation method and apparatus, electronic device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911304633.0A CN112988501B (en) 2019-12-17 2019-12-17 Alarm information generation method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN112988501A CN112988501A (en) 2021-06-18
CN112988501B true CN112988501B (en) 2023-02-03

Family

ID=76343624

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911304633.0A Active CN112988501B (en) 2019-12-17 2019-12-17 Alarm information generation method and device, electronic equipment and storage medium

Country Status (3)

Country Link
EP (1) EP4080368A4 (en)
CN (1) CN112988501B (en)
WO (1) WO2021121244A1 (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI789075B (en) * 2021-10-26 2023-01-01 中華電信股份有限公司 Electronic device and method for detecting abnormal execution of application program
CN114205011A (en) * 2021-12-15 2022-03-18 浙江华云信息科技有限公司 Wireless signal quality early warning method, device and medium
CN114363148B (en) * 2021-12-20 2023-05-26 绿盟科技集团股份有限公司 Method, device, detection equipment and storage medium for detecting attack alarm
CN114329455B (en) * 2022-03-08 2022-07-29 北京大学 User abnormal behavior detection method and device based on heterogeneous graph embedding
CN114760113B (en) * 2022-03-30 2024-02-23 深信服科技股份有限公司 Abnormality alarm detection method and device, electronic equipment and storage medium
CN114844770B (en) * 2022-04-30 2023-07-14 苏州浪潮智能科技有限公司 Alarm event processing method, device, equipment and medium
CN115118580B (en) * 2022-05-20 2023-10-31 阿里巴巴(中国)有限公司 Alarm analysis method and device
CN115174251B (en) * 2022-07-19 2023-09-05 深信服科技股份有限公司 False alarm identification method and device for safety alarm and storage medium
CN115277368A (en) * 2022-08-02 2022-11-01 上海宏时数据系统有限公司 Multi-platform alarm method, device, electronic equipment and storage medium
CN115033463B (en) * 2022-08-12 2022-11-22 北京优特捷信息技术有限公司 System exception type determining method, device, equipment and storage medium
CN116089231B (en) * 2023-02-13 2023-09-15 北京优特捷信息技术有限公司 Fault alarm method and device, electronic equipment and storage medium

Family Cites Families (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5455866B2 (en) * 2010-10-28 2014-03-26 株式会社日立製作所 Abnormality diagnosis device and industrial machine
US9225730B1 (en) * 2014-03-19 2015-12-29 Amazon Technologies, Inc. Graph based detection of anomalous activity
WO2015140842A1 (en) * 2014-03-20 2015-09-24 日本電気株式会社 System-monitoring information processing device and monitoring method
CN104123368B (en) * 2014-07-24 2017-06-13 中国软件与技术服务股份有限公司 The method for early warning and system of big data Importance of Attributes and identification based on cluster
US11200130B2 (en) * 2015-09-18 2021-12-14 Splunk Inc. Automatic entity control in a machine data driven service monitoring system
US10042697B2 (en) * 2015-05-28 2018-08-07 Oracle International Corporation Automatic anomaly detection and resolution system
CN107066365B (en) * 2017-02-20 2021-01-01 创新先进技术有限公司 System abnormity monitoring method and device
US10505954B2 (en) * 2017-06-14 2019-12-10 Microsoft Technology Licensing, Llc Detecting malicious lateral movement across a computer network
US11816586B2 (en) * 2017-11-13 2023-11-14 International Business Machines Corporation Event identification through machine learning
CA3041871A1 (en) * 2018-05-01 2019-11-01 Royal Bank Of Canada System and method for monitoring security attack chains
CN110189167B (en) * 2019-05-20 2021-06-08 华南理工大学 Mobile advertisement fraud detection method based on heterogeneous graph embedding
CN110223106B (en) * 2019-05-20 2021-09-21 华南理工大学 Deep learning-based fraud application detection method
CN110321268B (en) * 2019-06-12 2022-11-08 平安科技(深圳)有限公司 Alarm information processing method and device
CN110322153A (en) * 2019-07-09 2019-10-11 中国工商银行股份有限公司 Monitor event processing method and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on Key Issues of Fraud Detection in Medical Insurance Big Data; 高永昌 (Gao Yongchang); China Doctoral Dissertations Full-text Database; 2019-02-15 (No. 2); E053-6 *

Also Published As

Publication number Publication date
CN112988501A (en) 2021-06-18
EP4080368A1 (en) 2022-10-26
WO2021121244A1 (en) 2021-06-24
EP4080368A4 (en) 2023-12-06

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant